Hey everyone,
I noticed the following changes occurred the previous weekend. Some config changes got, I assume, pushed from Check Point.
I cannot find anything regarding this. I suspect there is a relation with the HCP update from 19-7.
Has anyone else noticed this? Below is the GAIA config; they are from 2 different customers.
add cron job wsc_cpm_monitoring command "sh /opt/CPsuite-R81.10/fw1/webconsole/wsc_cpm_monitoring.sh" recurrence daily time *:*
add user cpsho_user uid 1000 homedir /home/cpsho_user
set user cpsho_user gid 100 shell /etc/cli.sh
set user cpsho_user realname "Cpsho_user"
set user cpsho_user password-hash <HASH>
add cron job wsc_cpm_monitoring command "sh /opt/CPsuite-R81/fw1/webconsole/wsc_cpm_monitoring.sh" recurrence daily time *:*
add user cpsho_user uid 1000 homedir /home/cpsho_user
set user cpsho_user gid 100 shell /etc/cli.sh
set user cpsho_user realname "Cpsho_user"
set user cpsho_user password-hash <HASH>
This is a system user account related to the web console, and some other management features, with R81.10 and above. Should only appear on management servers.
Thanks for the reply Val. I am wondering how this config got there without interaction. It came a bit out of the blue.
Indeed I see the user only on mgmt systems.
Any idea how this config got pushed? And why does it need to run a task to monitor CPM?
Probably via autoupdatercli, as the last release of the Web Smart Console is dated July 18th and makes mention of the tool for offline updates. Interestingly, the Web Smart Console is not listed in the components of the autoupdatercli SK.
Hello,
I'd like to address several questions that have been raised in regards to cpsho_user.
What permissions and credentials does cpsho_user have?
The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login. Gaia has the definition of the user, it has Non-root permission ( groupid 100 ).
When is cpsho_user created?
Installation of WebSmartConsole package will trigger the creation of the user. WebSmartConsole can be installed manually, by automatic update, and as part of the JHF.
Why is cpsho_user created?
cpsho_user is being created for internal system purposes. Several dockers on the MGMT server are using this low privileged user in order to read input files and write to log files. For example Infinity Services and WebSmartConsole.
Can cpsho_user be deleted?
Deleting this user is not recommended and might have an impact on several Management features - Infinity Services, WebSmartConsole and SmartConsole (as some views and pages of SmartConsole are based on WebSmartConsole as infrastructure).
More information available at sk181305.
Best Regards,
Itai
I just discovered this new user on my management servers, to say I was surprised would be quite the understatement. Having an automated process that can randomly create new users on my management servers (no matter what permissions are set) is completely unacceptable and irresponsible on Check Point's part. We are heavily regulated and our management server configurations are audited. We must have justification for each and every user account on our management servers, how am I to explain this to an auditor? Check Point decided, for no reason that is well documented, to create this user? What's to stop Check Point from creating a different user account with different permissions?
We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.
Dave
I couldn't agree more.
We're in the same situation as Dave, and having such a user and cron job pushed by an auto-update process is unacceptable. It is still not clear to me from which update it came in; I first thought it was from JHF109 which we recently deployed, but 1st) I am not seeing it on our "offline" managers and 2nd) users were created before JHF109 deployment, so it must be any of cpuse, IPS, ... online update services.
This situation literally means we have lost control over granting access to our devices as the vendor can (and does!) push in any user required.
The explanation in the SK about what this user exactly does is vague ("used for internal processes"); also it does not list the exact permissions and "files read". According to the SK it has "Non-root permission (groupid 100)", but when checking existing users for audit reports with the "show users" command, it will show "Access to Expert features" on the Privilege tab, same as "admin".
Additionally, the SK was published three days _after_ users were pushed to our servers by "admin", so to me it looks as if Check Point had to quickly explain themselves.
For the cron job, it produces error messages when it runs (we get notified about failures on cron jobs); is there any QA on this before pushing out?
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 153: service: command not found
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 155: service: command not found
tail: cannot open '/opt/CPsuite-R81.10/fw1/log/wsc_cpm_monitoring.elg' for reading: No such file or directory
I'm quoting for truth:
@David_C1 wrote: [..] We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.
Dave
adding:
"and even more concerned they are even doing it".
I am really disappointed!
Mario
I am guessing there is much more to this story than Check Point is telling us. This happened for a reason and the explanation is vague for a reason.
Dave
@Itai_Minuhin wrote:
Hello,
I'd like to address several questions that have been raised in regards to cpsho_user.
What permissions and credentials does cpsho_user have?
The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login. Gaia has the definition of the user, it has Non-root permission ( groupid 100 ).
Not exactly true - the password is obviously stored on the local management server. Can the password be changed without causing "impact on several Management features"?
When is cpsho_user created?
Installation of WebSmartConsole package will trigger the creation of the user. WebSmartConsole can be installed manually, by automatic update, and as part of the JHF.
This account showed up on my management servers on a Sunday. WebSmartConsole was not manually installed on this day, nor was a JHF installed. What "automatic update" would trigger this?
Why is cpsho_user created?
cpsho_user is being created for internal system purposes. Several dockers on the MGMT server are using this low privileged user in order to read input files and write to log files. For example Infinity Services and WebSmartConsole.
How were these "internal system purposes" handled prior to the creation of this account? Why suddenly the need for this new account to handle these processes which presumably were working before this account showed up?
Can cpsho_user be deleted?
Deleting this user is not recommended and might have an impact on several Management features - Infinity Services, WebSmartConsole and SmartConsole (as some views and pages of SmartConsole are based on WebSmartConsole as infrastructure).
Again, these features were working prior to this account showing up. Could you provide more details about this potential impact?
More information available at sk181305 .
Best Regards,
Itai
Dave
It appears that the only thing currently preventing a remote login (SSH/web UI) is the lack of an assigned role. If you change the password and try to log in via SSH you get the following in /var/log/messages:
Aug 10 15:33:34 2023 fwmgr clish[23032]: User not logged in. He has no configured role.
Aug 10 15:33:34 2023 fwmgr clish[23032]: User cpsho_user logged out due to an error from CLI shell
Web UI gives "Permission denied"
If you assign an RBA role it will happily log you in.
Either way, a vendor known static password (however long) deployed on a customer system without their consent is called a backdoor and is a security accident waiting to happen. Not what you expect from a security company.
Re-reading this:
"The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login."
Randomly generated per-install, or once by Check Point? If it is not stored anywhere how can it be used, and why is a password needed at all?
Hi,
The password is randomly generated per machine, it is very long and not kept after it is generated.
Therefore it is not a static password that anyone can use to log in.
Essentially, we defined this user in a way that no one will be able to use it to log in, under any circumstances. The random password is generated simply because that is needed to create the user.
It was created as a security precaution since it has lower privileges and it allows us to run some processes without full system permissions.
In retrospect, we understand that this was not clear to the field and we need to better communicate such underlying changes. We appreciate the feedback and will try to document this much better.
I want to emphasize though, that this does not introduce security concerns, to the contrary, it was done to tighten security.
@Tomer_Noy wrote:
Hi,
The password is randomly generated per machine, it is very long and not kept after it is generated.
Therefore it is not a static password that anyone can use to log in.
True, but if this is the case, why was the user created with Web and Clish Access enabled?
Essentially, we defined this user in a way that no one will be able to use it to log in, under any circumstances. The random password is generated simply because that is needed to create the user.
It was created as a security precaution since it has lower privileges and it allows us to run some processes without full system permissions.
Details, please. What was previously running with full system permissions that had to be fixed with a named user? UID 1000 already existed, why the need for a named user? What bug was found (and not disclosed)?
In retrospect, we understand that this was not clear to the field and we need to better communicate such underlying changes. We appreciate the feedback and will try to document this much better.
Umm...yeah. Would this have ever been brought to light if a few of us didn't notice this additional user?
I want to emphasize though, that this does not introduce security concerns, to the contrary, it was done to tighten security.
Again, details would help restore some trust.
Also, an explanation between this discrepancy:
Dave
Hi,
I have now seen, 3 times at 3 different customers, that after upgrading from R81.10 to R81.20 we get a segmentation fault in clish when trying to back up, or after show configuration.
After some debugging I pinpointed the problem. During the upgrade process the user "Cpsho_user" is automatically created, but this user is created without a home dir:
[Expert@s-manage03:0]# grep "passwd:cpsho_user" /config/active
passwd:cpsho_user t
passwd:cpsho_user:realname Cpsho_user
passwd:cpsho_user:gid 100
passwd:cpsho_user:uid 1000
passwd:cpsho_user:lastchg 1694536445
passwd:cpsho_user:shell /sbin/nologin
passwd:cpsho_user:passwd *
In one installation I exported the configuration, reinstalled on R81.20 and imported config and the Cpsho_user was gone, and everything worked
On the other I deleted Cpsho_user, and everything worked
And on the 3rd I added the homedir: set user cpsho_user homedir /home/cpsho_user
Why is Cpsho_user not created on a freshly installed R81.20?
/gsa
Anyone else that hits this thread:
In our instance:
Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so
cpsho_user was missing both homedir & realname
Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305
"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626
@StackCap43382 wrote:
Anyone else that hits this thread:
In our instance:
Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so
cpsho_user was missing both homedir & realname
Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305
"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626
Yes, we had the same issue exactly. It appeared on R81.10 after installing JHF130 over JHF95. Adding home directory helped.
Upgraded to R82 JHFA10.
HealthCheck Point (HCP) now sends a WARNING!
Test name                                         Status    Runtime (sec)
==========================================================================
Users in Gaia Database............................[WARNING] 0.00108
+------------------------------------------------------------------------------------------------------------------------------------+
|                                                              Results                                                               |
+====================================================================================================================================+
|                                               Gaia OS/General/Users in Gaia Database                                               |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: WARNING                                                                                                                    |
|                                                                                                                                    |
| Description: This test checks if all users in the Gaia Database have the required settings (bindings)                              |
|                                                                                                                                    |
| Summary:1 user is missing the required bindings:                                                                                   |
| User 'cpsho_user' is missing these required bindings: homedir                                                                      |
|                                                                                                                                    |
| Finding:                                                                                                                           |
| User 'cpsho_user' is missing these required bindings: homedir                                                                      |
|                                                                                                                                    |
| Finding:                                                                                                                           |
| Suggested steps in Gaia Clish for each user with missing bindings:                                                                 |
| (1) Delete the problematic user:                                                                                                   |
|     delete user <Username>                                                                                                         |
| (2) Save the changes in the Gaia Database:                                                                                         |
|     save config                                                                                                                    |
| (3) Create the required user:                                                                                                      |
|     add user <Username> uid <UID> homedir <Path>                                                                                   |
| (4) Configure the new user:                                                                                                        |
|     set user <Username> <Parameters>                                                                                               |
| (5) Save the changes in the Gaia Database:                                                                                         |
|     save config
We would prefer that it not trigger a security WARNING in the included health check system that suggests removing or recreating the user.
How should the homedir issue be fixed? Do I need to create it or will it be fixed in coming JHFA or in the HCP check?
/Johan
Correct homedir = add user cpsho_user uid 1000 homedir /home/cpsho_user
I would try this to see if the error is then gone.
Hi, it looks like you want to add the cpsho_user homedir with normal clish configuration. That does not look correct to me, since I do not have anything else in clish for the cpsho_user. This is different from some other users earlier in this thread, who look like they do have it in clish. I will add it directly in the db to update the passwd file instead.
It looks like this, if anyone else wants to do the same and also does not see the cpsho_user when running show configuration in clish:
dbset passwd:cpsho_user:homedir /home/cpsho_user
dbset :save
/Johan
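
Added example, not part of any post in this thread and not Check Point code: a shell audit for the condition discussed above (the `grep "passwd:cpsho_user" /config/active` output and the HCP "required bindings" warning). It reports users with missing bindings and users that have both a login shell and a password hash set. The function names, the list of required bindings, the list of non-login shells and the `admin` sample records are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: audit Gaia-database style user records of the form
#   passwd:<user>:<binding> <value>
# (record layout taken from the grep output quoted in the thread).

# Assumptions: which bindings count as required, which shells block login.
REQUIRED_BINDINGS="uid gid shell homedir realname"
NOLOGIN_SHELLS="/sbin/nologin /bin/false"

# Constructed sample: cpsho_user as posted (no homedir) plus a made-up admin.
sample_gaia_db() {
    cat <<'EOF'
passwd:cpsho_user t
passwd:cpsho_user:realname Cpsho_user
passwd:cpsho_user:gid 100
passwd:cpsho_user:uid 1000
passwd:cpsho_user:lastchg 1694536445
passwd:cpsho_user:shell /sbin/nologin
passwd:cpsho_user:passwd *
passwd:admin t
passwd:admin:realname Admin
passwd:admin:gid 0
passwd:admin:uid 0
passwd:admin:homedir /home/admin
passwd:admin:shell /etc/cli.sh
passwd:admin:passwd CONSTRUCTED_HASH
EOF
}

# audit_gaia_users [FILE]   (reads stdin when FILE is omitted)
# Prints "<user> missing=<b1,b2,...>" for absent or empty required bindings,
# and "<user> login-capable shell=<shell>" when a login shell and a password
# hash are both set. Role (RBA) assignment is not examined here.
audit_gaia_users() {
    awk -v required="$REQUIRED_BINDINGS" -v nologin="$NOLOGIN_SHELLS" '
    BEGIN {
        nreq = split(required, req, " ")
        k = split(nologin, tmp, " ")
        for (i = 1; i <= k; i++) locked[tmp[i]] = 1
    }
    /^passwd:/ {
        value = $0
        sub(/^[^ ]+ */, "", value)          # text after the key
        nparts = split($1, part, ":")       # passwd, user, [binding]
        user = part[2]
        if (user == "") next
        if (!(user in seen)) { seen[user] = 1; order[++count] = user }
        if (nparts >= 3 && value != "") have[user, part[3]] = value
    }
    END {
        for (i = 1; i <= count; i++) {
            u = order[i]
            missing = ""
            for (j = 1; j <= nreq; j++)
                if (!((u, req[j]) in have))
                    missing = missing (missing == "" ? "" : ",") req[j]
            if (missing != "") print u " missing=" missing
            shell = ((u, "shell") in have) ? have[u, "shell"] : ""
            pw = ((u, "passwd") in have) ? have[u, "passwd"] : ""
            if (shell != "" && !(shell in locked) && pw != "" && pw != "*")
                print u " login-capable shell=" shell
        }
    }' ${1:+"$1"}
}

sample_gaia_db | audit_gaia_users
```

On a management server the same function can be pointed at the file shown in the thread, `audit_gaia_users /config/active`, and the output kept with the audit evidence for each account.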
 
					
				
				
			
		